From 71fec167ec25ccdf3f1f3b3683f50353e337c9f0 Mon Sep 17 00:00:00 2001
From: Kasen IO <kasenvr@gmail.com>
Date: Tue, 23 Jun 2020 20:52:48 -0400
Subject: [PATCH 1/2] Prevent a crash for corrupted GLTF models.

Co-Authored-By: hifiexperiments <hifiexperiments@users.noreply.github.com>
---
 libraries/fbx/src/GLTFSerializer.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libraries/fbx/src/GLTFSerializer.cpp b/libraries/fbx/src/GLTFSerializer.cpp
index a7af5518a9..c58d526ef1 100755
--- a/libraries/fbx/src/GLTFSerializer.cpp
+++ b/libraries/fbx/src/GLTFSerializer.cpp
@@ -1239,6 +1239,11 @@ bool GLTFSerializer::buildGeometry(HFMModel& hfmModel, const hifi::VariantHash&
                         int v2_index = (indices[n + 1] * 3);
                         int v3_index = (indices[n + 2] * 3);
 
+                        if (v1_index + 2 >= vertices.size() || v2_index + 2 >= vertices.size() || v3_index + 2 >= vertices.size()) {
+                            qWarning(modelformat) << "Indices out of range for model " << _url;
+                            break;
+                        }
+
                         glm::vec3 v1 = glm::vec3(vertices[v1_index], vertices[v1_index + 1], vertices[v1_index + 2]);
                         glm::vec3 v2 = glm::vec3(vertices[v2_index], vertices[v2_index + 1], vertices[v2_index + 2]);
                         glm::vec3 v3 = glm::vec3(vertices[v3_index], vertices[v3_index + 1], vertices[v3_index + 2]);
@@ -1333,7 +1338,7 @@ bool GLTFSerializer::buildGeometry(HFMModel& hfmModel, const hifi::VariantHash&
                 }
 
                 if (validatedIndices.size() == 0) {
-                    qWarning(modelformat) << "Indices out of range for model " << _url;
+                    qWarning(modelformat) << "No valid indices for model " << _url;
                     continue;
                 }
 

From fe0109aa13fb845c3ac86a6d7e13bc4846cd7c1c Mon Sep 17 00:00:00 2001
From: Kasen IO <kasenvr@gmail.com>
Date: Thu, 2 Jul 2020 23:52:26 -0400
Subject: [PATCH 2/2] Fix crash for indices out of bounds in GLTF.

Co-Authored-By: hifiexperiments <hifiexperiments@users.noreply.github.com>
---
 libraries/fbx/src/GLTFSerializer.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libraries/fbx/src/GLTFSerializer.cpp b/libraries/fbx/src/GLTFSerializer.cpp
index c58d526ef1..8234f2b17d 100755
--- a/libraries/fbx/src/GLTFSerializer.cpp
+++ b/libraries/fbx/src/GLTFSerializer.cpp
@@ -1055,6 +1055,11 @@ bool GLTFSerializer::buildGeometry(HFMModel& hfmModel, const hifi::VariantHash&
 
                 int indicesAccessorIdx = primitive.indices;
 
+                if (indicesAccessorIdx > _file.accessors.size()) {
+                    qWarning(modelformat) << "Indices accessor index is out of bounds for model " << _url;
+                    continue;
+                }
+                
                 GLTFAccessor& indicesAccessor = _file.accessors[indicesAccessorIdx];
 
                 // Buffers
@@ -1093,6 +1098,11 @@ bool GLTFSerializer::buildGeometry(HFMModel& hfmModel, const hifi::VariantHash&
                 foreach(auto &key, keys) {
                     int accessorIdx = primitive.attributes.values[key];
 
+                    if (accessorIdx > _file.accessors.size()) {
+                        qWarning(modelformat) << "Accessor index is out of bounds for model " << _url;
+                        continue;
+                    }
+
                     GLTFAccessor& accessor = _file.accessors[accessorIdx];
 
                     if (key == "POSITION") {